EVE General Discussion

 
 

Forum Devs - are you aware of website running on https?

Jeremy Winburg
#21 - 2011-09-12 08:33:11 UTC
Caius Sivaris
Dark Nexxus
S0ns Of Anarchy
#22 - 2011-09-12 08:54:59 UTC
Drokar Gazer wrote:
I am not sure it is an issue nowadays, but back in the day, running an entire website on secure protocol is extremely expensive bandwidth.


TLS doesn't use significantly more bandwidth. A lot more CPU, yes.

Quote:

Typically sites only use SSL for login to mask user/password then revert back to non-secure unless you are logging into account management.


Sites coded by retards such as yourself maybe. Doing what you propose protects the password but not the session cookie, which is all you need to impersonate someone.

Sites with many orders of magnitude more bandwidth problems like Google+ are SSL/TLS only for good reasons.
Snurch
Hedion University
Amarr Empire
#23 - 2011-09-12 09:15:21 UTC
Couple of thoughts I wanted to inject into this thread:

This is 2011, people: running any site that has even the slightest need for keeping its communication private should be secured. With today's prevalence of public and poorly encrypted wifi networks, the chances of people snooping on your traffic are not as small as you might think. Even if you only secure the exchange of login credentials, you will still need to somehow attach that session to the unsecured connection, which can then be hijacked like that Firefox extension has proven for Facebook/Twitter (and forced them to go HTTPS all the way).

Talia Nachtigall wrote:
I'm going to chime in here because I do have some knowledge on the subject. I personally run a forum & blog with SSL active the entire time. I do this because I believe in anonymity, privacy, and security. Believe it or not - a moderate estimate would be $800.00 annually for an SSL certificate. I myself pay roughly $400.00/yr through Comodo. I do truly wish every website was forced to use HTTPS to be honest.


$400-800/y for an SSL certificate?! There are cheaper ways to get SSL certificates. And I think you're insane for thinking that forcing every website to pay that much on a yearly basis is a good idea :) It may be worth it for some, but I can see many, many websites going offline if this would be enforced.

The sad part is that the way SSL certificates work is a huge flaw in the current SSL framework, as recent cases with Comodo issuing false certificates, and one CA (DigiNotar) even apparently getting its entire signing infrastructure compromised, have shown. Yes, there are ways to deal with fraudulent certificates, but these are apparently not practical and not used - so people had to go and update their browsers or OS to protect themselves from these certificates.

It currently seems that SSL prices are on the rise, while CA reliability is proving to be a huge issue, and it makes me wonder what justifies the $400/y price tag.
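The point made in posts #22 and #23, that TLS on the login page alone leaves the session cookie exposed on the plain-HTTP pages that follow, can be checked from a site's response headers. The following is an added example, not part of the original thread: the header lists are constructed, and the session cookie names are assumptions.

```python
from http.cookies import SimpleCookie

# Constructed response headers, not captured from any real site.
LOGIN_ONLY_TLS = [
    ("Set-Cookie", "sessionid=3f9a1c; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]
HTTPS_EVERYWHERE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=3f9a1c; Path=/; Secure; HttpOnly"),
]
SESSION_NAMES = {"sessionid", "sid", "phpsessid"}  # assumed cookie names


def hsts_max_age(value):
    """Return the max-age of a Strict-Transport-Security value, 0 if absent."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        val = val.strip('"')
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return 0


def audit(headers, session_names=SESSION_NAMES):
    """List the reasons a session cookie could travel over plain HTTP."""
    findings, hsts = [], 0
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            hsts = max(hsts, hsts_max_age(value))
        elif name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for key, morsel in jar.items():
                if key.lower() not in session_names:
                    continue  # preference cookies are not credentials
                if not morsel["secure"]:
                    findings.append(f"{key}: no Secure flag, also sent over HTTP")
                if not morsel["httponly"]:
                    findings.append(f"{key}: no HttpOnly flag, readable by scripts")
    if hsts == 0:
        findings.append("no HSTS: browser may still make plain-HTTP requests")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("login-only TLS", LOGIN_ONLY_TLS),
                        ("HTTPS everywhere", HTTPS_EVERYWHERE)):
        print(label, audit(hdrs) or "ok")
```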
kerradeph
Aliastra
Gallente Federation
#24 - 2011-09-12 23:45:23 UTC
Most sites have a certificate for HTTPS already, so getting them to run all HTTPS would be easy. And as is, there are much cheaper certificates. I think web-wide HTTPS is a great idea. And once IPv6 is implemented globally it will provide more security for people like us. It will also make the current method of man-in-the-middle attacks nearly impossible.
Leon Razor
Measure Zero
#25 - 2011-09-13 00:55:01 UTC
I'm actually glad to see this. I remember reading an article a little while back detailing how full-site SSL encryption is not as much of a burden as it used to be, and in fact advocated that sites should try and support it by working on other, more significant and often overlooked sources of overhead. I wish I could find the article again (I think it may have been written by someone at Google).
Meryl SinGarda
Belligerent Underpaid Tactical Team
#26 - 2011-09-13 01:13:11 UTC
Din'stalor Alaric wrote:
Troll?

Only after reading this thread twice I found no reference to internet spaceships, goon scams or 'help I'm stuck in a wormhole'.

Why don't we stop worrying about the new forums, which work, and get back to what EVE is about, the spaceships.



Yeah, I totally saw this big blue round object with flashing lights all over it. And upon getting closer, I could see little industrial civilizations. What an interesting spaceship that was!

Oh and this one time, I found a gateway to some uncharted slice of space. Craziest spaceship I've ever seen, all round and gyrating, like it wanted my ship inside of it!
Denidil
Cascades Mountain Operatives
#27 - 2011-09-13 01:59:47 UTC
Drokar Gazer wrote:
Syn Fatelyng wrote:
Consider that certain information on EVE Gate is sensitive, such as Corporation and Alliance EVE-mails that someone may check through the website. While the forum itself may not be as sensitive (for some), other areas pose an information security risk if left unencrypted.

EVE spies snooping on connections, wireless or not, is far from unheard of in this game.


Well, that does make sense, but I was on HTTPS even when NOT logged in... that can't be cheap.


Yes it can, the overhead of the secure connection is meaningless these days. It might be a 1% increase in bandwidth.

Tedium and difficulty are not the same thing, if you don't realize this then STFU about game design.

Denidil
Cascades Mountain Operatives
#28 - 2011-09-13 02:02:25 UTC
Caius Sivaris wrote:
Drokar Gazer wrote:
I am not sure it is an issue nowadays, but back in the day, running an entire website on secure protocol is extremely expensive bandwidth.


TLS doesn't use significantly more bandwidth. A lot more CPU, yes.

Quote:

Typically sites only use SSL for login to mask user/password then revert back to non-secure unless you are logging into account management.


Sites coded by retards such as yourself maybe. Doing what you propose protects the password but not the session cookie, which is all you need to impersonate someone.

Sites with many orders of magnitude more bandwidth problems like Google+ are SSL/TLS only for good reasons.


Well, technically a well-designed site will secure that session cookie to a specific IP and duration.

Tedium and difficulty are not the same thing, if you don't realize this then STFU about game design.
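Binding a session to a client IP and a lifetime, as post #28 describes, can be done with a keyed MAC over the user, expiry and address. The following is an added example, not part of the original thread: the token format, key and addresses are constructed. Clients behind one NAT (for example the same public Wi-Fi) present the same address, so this check does not tell them apart and is no substitute for sending the cookie only over TLS.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # placeholder; a real key comes from a secret store


def _mac(user, exp, client_ip):
    msg = f"{user}|{exp}|{client_ip}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue(user, client_ip, ttl, now=None):
    """Return 'user|expiry|mac'; the IP is covered by the MAC but not stored."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    now = time.time() if now is None else now
    exp = int(now + ttl)
    return f"{user}|{exp}|{_mac(user, exp, client_ip)}"


def verify(token, client_ip, now=None):
    """Return the user name if the token is authentic, unexpired and from the same IP."""
    now = time.time() if now is None else now
    try:
        user, exp, mac = token.split("|")
        exp = int(exp)
    except ValueError:
        return None  # wrong number of fields or non-numeric expiry
    expected = _mac(user, exp, client_ip)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if now >= exp:
        return None
    return user


if __name__ == "__main__":
    t = issue("alice", "203.0.113.7", ttl=900, now=1000)
    print(verify(t, "203.0.113.7", now=1500))   # same address, in time
    print(verify(t, "198.51.100.9", now=1500))  # replayed from another address
    print(verify(t, "203.0.113.7", now=1900))   # expired
```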

Simetraz
State War Academy
Caldari State
#29 - 2011-09-13 02:16:10 UTC
I don't care, HTTPS allows me to read and post at work.
The rest just doesn't matter.
Optional Patch
Republic Military School
Minmatar Republic
#30 - 2011-09-13 02:22:49 UTC
Syn Fatelyng wrote:
Consider that certain information on EVE Gate is sensitive, such as Corporation and Alliance EVE-mails that someone may check through the website. While the forum itself may not be as sensitive (for some), other areas pose an information security risk if left unencrypted.

EVE spies snooping on connections, wireless or not, is far from unheard of in this game.


Off-topic but...

A damn fine portrait you have created there Syn.
Talia Nachtigall
State War Academy
Caldari State
#31 - 2011-09-13 10:49:40 UTC  |  Edited by: Talia Nachtigall
Snurch wrote:
$400-800/y for an SSL certificate?! There are cheaper ways to get SSL certificates. And I think you're insane for thinking that forcing every website to pay that much on a yearly basis is a good idea :) It may be worth it for some, but I can see many, many websites going offline if this would be enforced.


There are of course cheaper SSL certificates available. I use a Wildcard because I have several sub-domains and that is why I pay over $800.00/year. You can get SSL certificates for around $200.00/year.

Optional Patch wrote:

Off-topic but...

A damn fine portrait you have created there Syn.


Mine is better. Lol

Don't pray for my soul. ;)

Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#32 - 2011-09-13 11:54:29 UTC
You can get certs for sub $100 a year, or just have a self-signed cert. Though that will throw up security warnings. I'm running a basic cert from GoDaddy on my personal site, used for HTTPS, SMTPS and IMAPS :D

Problem is, SSL is used in HTTPS for 2 different things: encryption (not broken yet, not that likely to be broken any time soon) and authentication (this is where the problems with the certificate authorities are an issue).

The biggest problem with SSL, on the current internet, is that each HTTPS site requires its own IP address. Pretty much means that all the cheap hosting plans won't/can't do it. While it's possible to have them on the same IP, it requires the certificate to be issued for each and every site involved. Which means a reissue when a new site is added. You're not going to get that on a cheap hosting plan (where you often have 70 sites on a single box).

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter
